Recent Posts

When 29-year-old Albert Gonzalez pleaded guilty early this year to the largest hacking and identity-theft case in U.S. history, he didn’t have much to say. “I blame nobody but myself,” he told the judge.

But Gonzalez could have talked about plenty: He masterminded the capture and exposure of more than 170 million credit and debit card numbers. He worked as an informant for the U.S. Secret Service on cybercrimes, while at the same time mounting some of the largest single-system data breaches anyone has ever seen.

Gonzalez and his team breached several major retail enterprises, including TJX Companies, the parent corporation of T.J.Maxx, OfficeMax, Barnes & Noble and Sports Authority, gaining direct access to the stores’ point-of-sale terminals. When a card was swiped, Gonzalez’s software automatically sent him a message, like an email, with the card information attached. All told he cost companies such as TJX and others more than $400 million in damages, reimbursements and legal fees.

So what motivates Gonzalez and hackers like him? Is it more than money?

It’s “a combination of challenge, ego and greed—in that order,” said Kimberly Peretti, who, as the lead prosecutor in the case against Gonzalez, is uniquely qualified to know. Described by The New York Times in a November story as the person who “knows Gonzalez as well as almost anyone in government,” Peretti now works for PWC as a director in the U.S. Forensic Technology Solutions practice.

“Hacking was Gonzalez’s area of expertise, so it gave him this large sense of accomplishment to get into systems that have security in place and work around it,” she said. “We learned about the ease with which cybercriminals can hide their tracks on the Internet, but they do leave tracks and it’s possible to investigate, identify, apprehend and convict them,” Peretti continued. “Now the hacking community knows the stakes.

The 20-year sentence for Gonzalez is the most significant ever issued to a cybercriminal. It equals the most severe punishments handed down to major white-collar criminals.

“Reasonable security practices will prevent most types of cybercrime, yet Gonzalez and hackers like him operate on a different level, Peretti said.

“Businesses need to heighten their awareness and ability to detect cybercriminals in their system. Oftentimes a company only spots an attack when it looks through old logs and other indicators, when they’re specifically looking for evidence. We saw in the Gonzalez case that he had unfettered access for months and even years.”

The new security approach needs to be detection-based, she said, stopping hackers on their way in the door, rather than after they’ve left the system with stolen money or information.

“That detection is really what we’re developing in the new field of cyberforensics. A lot of criminal groups and state-sponsored groups are so sophisticated that you need experts who know where to look and what to look for. It’s essential now, because of the difficulty and complexity of these crimes.”